CVE-2025-52457

Severity: Medium, CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Components affected:  HBUS Devices

Version of Command Centre affected:

• 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3))
• 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5))
• 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8))
• all versions of 9.00 and prior.

Reported by: Gallagher Internal

Active exploitation of vulnerability*: No

Description of vulnerability: Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security.

Mitigation: Ensure that hardware is installed correctly, and follow all steps from the hardening guide. 

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.